Rowland Penny
2022-Nov-24 16:57 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
On 24/11/2022 15:54, Juan Ignacio wrote:
>> Are you sure that there aren't any other 'idmap config' lines ?
>>
>> I would have expected lines for your DOMAIN
>
> All the lines on the member file server are these.
>
>     vfs objects = acl_xattr
>     map acl inherit = yes
>     store dos attributes = yes
>
>     #WINBIND
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind refresh tickets = yes
>     winbind use default domain = yes
>     winbind cache time = 60
>
>     # Default ID mapping configuration for local BUILTIN accounts
>     # and groups on a domain member. The default (*) domain:
>     # - must not overlap with any domain ID mapping configuration!
>     # - must use a read-write-enabled back end, such as tdb.
>     # - Adding just this is not enough
>     # - You must set a DOMAIN backend configuration, see below
>     idmap config * : backend = tdb
>     idmap config * : range = 3000-7999
>
>     username map = /usr/local/samba/etc/user.map
>
>> The whole idea behind syncing idmap.ldb between DC's is to ensure
>> that they all use the ID's.
>
> Yea but I have some differences between the ad-dc and member dc,

What is a 'member dc' ??

In Samba AD, you have DC's (which are all equal except for the FSMO roles, this includes RODC's) and Unix & Windows domain members.

The domain members get their ID's from the DC's, Windows uses the RID and Unix uses whatever winbind idmap backend that is chosen.

If your 'member dc' is just another DC, then that smb.conf is not valid because you do not use the 'idmap config' lines in a DC smb.conf

If your 'member dc' is actually a Unix domain member, then that smb.conf is not valid because there are no 'DOMAIN' 'idmap config' lines.

Rowland
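The distinction Rowland draws above (a DC's smb.conf carries no 'idmap config' lines at all, while a Unix domain member needs backend and range lines for its own DOMAIN that do not overlap the '*' range) can be checked mechanically. The script below is an added example written for this thread, not code from the Samba project or from either poster. It parses the [global] section with awk, and the two sample configurations it writes are constructed: the first mirrors the member file server's file from the thread (no DOMAIN lines), the second adds DOMAIN lines with a rid backend and a 10000-999999 range, both of which are assumptions chosen for the example rather than values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the 'idmap config' lines
# in an smb.conf the way Rowland's reply describes. A Unix domain member
# needs 'idmap config DOMAIN : backend' and ': range' for its workgroup, with
# a range that does not overlap the '*' range; a DC must have no such lines.

# Print the value of a [global] key (case-insensitive key match, whitespace
# collapsed, first match wins). Lines starting with '#' or ';' are skipped.
smb_get() {
    awk -v key="$2" -F= '
        /^[[:space:]]*[#;]/ { next }
        NF >= 2 {
            k = tolower($1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/[[:space:]]+/, " ", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v
                exit
            }
        }' "$1"
}

# Return 0 when two numeric ranges written as "lo-hi" intersect.
range_overlap() {
    a_lo=${1%-*}; a_hi=${1#*-}; b_lo=${2%-*}; b_hi=${2#*-}
    [ "$a_lo" -le "$b_hi" ] && [ "$b_lo" -le "$a_hi" ]
}

# Exit status 0 = idmap configuration consistent with the role, 1 = problem.
check_idmap_config() {
    conf=$1
    role=$(smb_get "$conf" "server role" | tr 'A-Z' 'a-z')
    if [ "$role" = "active directory domain controller" ]; then
        if grep -iq '^[[:space:]]*idmap config' "$conf"; then
            echo "DC smb.conf must not contain 'idmap config' lines"
            return 1
        fi
        echo "DC: no idmap config lines, OK"
        return 0
    fi
    # Anything else is treated as a domain member (the thread's file has
    # 'security = ADS' and no 'server role', which is the member case).
    dom=$(smb_get "$conf" "workgroup")
    [ -n "$dom" ] || { echo "no 'workgroup' set"; return 1; }
    key=$(printf '%s' "$dom" | tr 'A-Z' 'a-z')
    backend=$(smb_get "$conf" "idmap config $key : backend")
    range=$(smb_get "$conf" "idmap config $key : range")
    star=$(smb_get "$conf" "idmap config * : range")
    if [ -z "$backend" ] || [ -z "$range" ]; then
        echo "missing 'idmap config $dom : backend' and/or ': range' lines"
        return 1
    fi
    if [ -n "$star" ] && range_overlap "$range" "$star"; then
        echo "range $range for $dom overlaps the '*' range $star"
        return 1
    fi
    echo "member: $dom uses backend '$backend', range $range, OK"
    return 0
}

# Constructed sample: the member's [global] as posted, without DOMAIN lines.
sample_member_conf_missing_domain() {
    cat <<'EOF'
[global]
    netbios name = FILESERVER
    security = ADS
    workgroup = OURDOMAIN
    realm = OURDOMAIN.ORG
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
EOF
}

# Constructed sample: same file plus DOMAIN lines (backend and range are
# assumptions for this example, not values from the thread).
sample_member_conf_fixed() {
    sample_member_conf_missing_domain
    cat <<'EOF'
    idmap config OURDOMAIN : backend = rid
    idmap config OURDOMAIN : range = 10000-999999
EOF
}

# Demo: run the check over both samples.
tmp=$(mktemp)
for sample in sample_member_conf_missing_domain sample_member_conf_fixed; do
    "$sample" > "$tmp"
    printf '%s: ' "$sample"
    check_idmap_config "$tmp" || true
done
rm -f "$tmp"
```

Run it as `sh check_idmap.sh`; to test a real file, call `check_idmap_config /usr/local/samba/etc/smb.conf` after sourcing the script. The check is a complement to `testparm`, which validates syntax but does not tell you that the DOMAIN lines are absent.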
Juan Ignacio
2022-Nov-24 17:25 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
>> What is a 'member dc' ??

Sorry, I must say a member of the DC or domain member, as I said before. Language troubles.

> If your 'member dc' is just another DC, then that smb.conf is not valid
> because you do not use the 'idmap config' lines in a DC smb.conf

No, the member is a Unix Domain Member, to clarify, so the smb.conf seems OK. I didn't make any changes on it, I must know if maybe I need to check resolv.conf and hosts and other info before demoting the primary old ad-dc...

> If your 'member dc' is actually a Unix domain member, then that smb.conf
> is not valid because there are no 'DOMAIN' 'idmap config' lines.

Yea but we put these lines a long time ago, this is the complete global of the member file server.

    [global]
        netbios name = FILESERVER
        security = ADS
        workgroup = OURDOMAIN
        realm = OURDOMAIN.ORG
        log file = /var/log/samba/%m.log
        log level = 10

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

        #WINBIND
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = yes
        winbind use default domain = yes
        winbind cache time = 60

        # Default ID mapping configuration for local BUILTIN accounts
        # and groups on a domain member. The default (*) domain:
        # - must not overlap with any domain ID mapping configuration!
        # - must use a read-write-enabled back end, such as tdb.
        # - Adding just this is not enough
        # - You must set a DOMAIN backend configuration, see below
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        username map = /usr/local/samba/etc/user.map

The samba was built from sources.

On Thu, 24 Nov 2022 at 13:59, Rowland Penny via samba (<samba at lists.samba.org>) wrote:
> On 24/11/2022 15:54, Juan Ignacio wrote:
>>> Are you sure that there aren't any other 'idmap config' lines ?
>>>
>>> I would have expected lines for your DOMAIN
>>
>> All the lines on the member file server are these.
>>
>>     vfs objects = acl_xattr
>>     map acl inherit = yes
>>     store dos attributes = yes
>>
>>     #WINBIND
>>     winbind enum users = yes
>>     winbind enum groups = yes
>>     winbind refresh tickets = yes
>>     winbind use default domain = yes
>>     winbind cache time = 60
>>
>>     # Default ID mapping configuration for local BUILTIN accounts
>>     # and groups on a domain member. The default (*) domain:
>>     # - must not overlap with any domain ID mapping configuration!
>>     # - must use a read-write-enabled back end, such as tdb.
>>     # - Adding just this is not enough
>>     # - You must set a DOMAIN backend configuration, see below
>>     idmap config * : backend = tdb
>>     idmap config * : range = 3000-7999
>>
>>     username map = /usr/local/samba/etc/user.map
>>
>>> The whole idea behind syncing idmap.ldb between DC's is to ensure
>>> that they all use the ID's.
>>
>> Yea but I have some differences between the ad-dc and member dc,
>
> What is a 'member dc' ??
>
> In Samba AD, you have DC's (which are all equal except for the FSMO
> roles, this includes RODC's) and Unix & Windows domain members.
>
> The domain members get their ID's from the DC's, Windows uses the RID
> and Unix uses whatever winbind idmap backend that is chosen.
>
> If your 'member dc' is just another DC, then that smb.conf is not valid
> because you do not use the 'idmap config' lines in a DC smb.conf
>
> If your 'member dc' is actually a Unix domain member, then that smb.conf
> is not valid because there are no 'DOMAIN' 'idmap config' lines.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba